Infrastructure-as-code framework for Active Directory objects and Group Policy. Sanitized from production deployment for public sharing.
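# Admins-01 -- Settings Declaration
# Linked to: OU=ExampleAdmins,DC=example,DC=internal
#
# This GPO targets delegated administrator accounts.
# No desktop restrictions -- admins need access to management tools.
# Focus is on accountability (logging) and session security (screen lock).
# All settings are User Configuration (HKCU).
#
# NOTE(review): because every value lives under HKCU, the logging and lock
# settings follow the user, not the machine. If these accounts hold local
# administrator rights on the hosts they log on to, they can write to their
# own HKCU\Software\Policies hive between policy refreshes. For logging that
# the logged account cannot switch off, pair this GPO with the equivalent
# Computer Configuration (HKLM) settings in a GPO linked to the admin
# workstations/servers -- this GPO cannot carry them, since
# DisableComputerConfiguration is $true.

@{
    GPOName     = 'Admins-01'
    Description = 'Admin account policy -- session lock, PS logging, taskbar cleanup'

    # Only the User Configuration half of this GPO is used.
    DisableComputerConfiguration = $true

    LinkTo = 'OU=ExampleAdmins,DC=example,DC=internal'

    # No security policy settings -- admin privileges come from group membership, not GPO
    SecurityPolicy = @{}

    RegistrySettings = @(

        # =============================================================
        # Session Security -- Screensaver Lock
        # =============================================================

        # Enable screensaver (required for timeout lock to work)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaveActive'
            Type      = 'String'
            Value     = '1'
        }

        # Force a specific screensaver program. The timeout policy has no
        # effect unless a valid screensaver is configured on the client, so
        # without this value the lock depends on each profile's personal
        # setting. scrnsave.scr is the built-in blank screensaver.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'SCRNSAVE.EXE'
            Type      = 'String'
            Value     = 'scrnsave.scr'
        }

        # Screensaver timeout: 10 minutes (600 seconds)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaveTimeOut'
            Type      = 'String'
            Value     = '600'
        }

        # Password-protect the screensaver (require unlock)
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
            ValueName = 'ScreenSaverIsSecure'
            Type      = 'String'
            Value     = '1'
        }

        # =============================================================
        # Accountability -- PowerShell Logging
        # =============================================================

        # Enable PowerShell script block logging.
        # Events land in the local Microsoft-Windows-PowerShell/Operational
        # log (event ID 4104). A local log can be cleared by a local
        # administrator, so forward it to a central collector if it is meant
        # to serve as an audit trail for these accounts.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
            ValueName = 'EnableScriptBlockLogging'
            Type      = 'DWord'
            Value     = 1
        }

        # Enable PowerShell transcription.
        # NOTE(review): no OutputDirectory value is declared here. Without
        # one, transcripts are written to the user's own Documents folder,
        # where the account being recorded can edit or delete them. Add an
        # OutputDirectory entry (Type 'String') pointing at a central share
        # that admins can write to but not read or modify, e.g.
        # '<TRANSCRIPT_SHARE_PLACEHOLDER>'. Transcripts can capture secrets
        # typed at the console, so restrict read access to that share.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription'
            ValueName = 'EnableTranscripting'
            Type      = 'DWord'
            Value     = 1
        }

        # Write an invocation header before each command in the transcript,
        # so entries carry the time the command was started.
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription'
            ValueName = 'EnableInvocationHeader'
            Type      = 'DWord'
            Value     = 1
        }

        # =============================================================
        # Taskbar Cleanup
        # =============================================================
        # Cosmetic only. The Widgets and Search values below sit outside the
        # Software\Policies tree, i.e. they are ordinary user preferences:
        # the user can change them back, and they are presumably left behind
        # when the GPO no longer applies -- verify against the framework's
        # removal behaviour.

        # Disable Windows Copilot
        @{
            Key       = 'HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot'
            ValueName = 'TurnOffWindowsCopilot'
            Type      = 'DWord'
            Value     = 1
        }

        # Hide Widgets on taskbar
        @{
            Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
            ValueName = 'TaskbarDa'
            Type      = 'DWord'
            Value     = 0
        }

        # Hide Search box on taskbar (0=Hidden, 1=Icon, 2=Full box)
        @{
            Key       = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Search'
            ValueName = 'SearchboxTaskbarMode'
            Type      = 'DWord'
            Value     = 0
        }
    )
}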